Does anyone know how IAPs and receipt validation is supposed to work when an iOS app is run on a new Arm Mac? I have an iOS app which I'm pleased to discover runs well on my new Arm Mac mini. The app has non-consumable IAPs. At startup it parses the app receipt. A receipt is present, but my existing receipt validation code decides that it has the wrong hash. (This is with the app installed from the App Store, not a local build.) I'm aware that receipt validation is different for native Mac apps, including catalyst apps (e.g. getting a device GUID from the ethernet MAC addresses etc.) But what is supposed to happen in the case of a regular iOS app running on macOS? Is this documented anywhere? Has anyone got IAPs working, with local receipt validation?

Dear Experts, When I try to use Address Sanitizer on my iOS app, it reports "attempting free on address which was not malloc()-ed" whenever a C++ exception is caught. If first saw it inside Apple's libFontParser and filed FB13271831, but I now see it in my own code. The Address Sanitizer stack trace always starts like this: #1 0x215766ae8 in __cxa_decrement_exception_refcount+0x40 (/usr/lib/libc++abi.dylib:arm64e+0x13ae8) Having looked up __cxa_decrement_exception_refcount in the C++ ABI docs, my guess is that the C++ runtime is creating and destroying the exception objects in some way that Address Sanitizer doesn't properly understand, causing it to think that they are being freed without having been allocated by malloc. This is only really a problem because it does not seem possible to continue after ASan has reported this error; the app is terminated. Question: is there a way to tell Address Sanitiser to ignore errors in this function? And/or, is there a way to continue after the error? Thanks.

Has anyone had any luck using Inkscape to edit custom SF Symbols? It seems to work OK except that it doesn't understand the required layer structure. The layers are SVG group elements, which Inkscape doesn't seem to treat as layers. I think it must need some additional attributes to distinguish layers from other groups, or something. Edited to add: specifically it seems to need the attribute inkscape:groupmode="layer" on the element. I'm going to try adding this manually to the template and see what happens!

Dear Experts, Where is the best place to persist an App Attest key id? The docs ( https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity ) say “Record the identifier in persistent storage — for example, by writing it to a file”. That is what I have done, but I have encountered a problem. If a user gets a new device and restores a backup of an old device onto it, the new device will try to use the key id from the old device - which is of course wrong. One solution is to detect the error when the invalid key is used and to generate a new one. Is that the best approach? I am wondering if there is some part of the filesystem that does not survive the backup/restore process, but is otherwise persistent? It should be more persistent than a cache file. (Also looking at the docs again I now see that I am supposed to store distinct keys for each “user”. What is meant by “user” in this case?) Thanks.

Dear Experts, I'm attempting to make a custom icon appear in the iOS Files app, etc., for my file type. I've found a couple of bits of documentation for Info.plist keys: https://developer.apple.com/documentation/bundleresources/information_property_list/utexportedtypedeclarations/uttypeiconfiles describes UTTypeIconFiles, to be included in UTImportedTypeDeclarations. This documentation is very sparse! Older document https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CoreFoundationKeys.html#//apple_ref/doc/uid/TP40009249-SW9 describes CFBundleTypeIconFiles, to be included in CFBundleDocumentTypes. Which of these should I be using? (Both? Neither?) Nothing I've tried so far has worked. I wonder if I need to, for example, power-cycle to make the Files app pick up the new icons. Also, in Xcode, I've found the Imported Type Identifiers section of the Info settings which has a box labelled "Add imported type identifiers here" - but clicking + and choosing a file does nothing; the box remains empty. Anyone else have that problem? What size should the icons be? The older document suggests some rather small sizes, e.g. 22x29; the newer doc says nothing. Suggestions anyone?

I have a new app which requires iOS 16. App Store Connect wants me to upload screenshots of various sizes, mostly optional - but 5.5" with square corners and physical home button is required. As I understand it, the only device that can run iOS 16 and that has a 5.5" screen is the iPhone 8 plus. I have an iPhone 6 plus, which has the right dimensions, but it doesn't run iOS 16. The newer phones with physical home buttons (i.e. the SE 2 and 3) have 4.7" screens. Apple won't sell me anything older than an iPhone 12, even refurbished. Do I need to buy an iPhone 8 plus from eBay? Is there something that I can do to prevent the app from running on this device, and thereby make this screenshot size not required?

I visit https://appstoreconnect.apple.com/apps A banner at the top of the screen tells me that I need to "provide and verify information regarding your account" for DSA compliance. I click on the "complete compliance requirements" link. The address shown for my business on this page is correct. I click on "Complete Compliance Requirements for (business)" near the top of this page. The address is also correct here. I click on "Complete Compliance Requirements" near the top of this page. This presents an "are you a trader?" popup; I select "This is a trader-provided account" and click Next. This shows a popup headed "Contact Information Verification". This page shows the wrong address. It shows an old personal address, pre-dating the establishment of my business. This popup tells me to contact Dun & Bradstreet to update my address. I click on the "Learn More" link. I follow the instructions to find my business on the D&B website. Of course Dun & Bradstreet already know the correct address for the business, so I am unable to change it. The result is that I am unable to complete DSA compliance. I think the root cause is that I had a personal developer account which Apple transferred to my business when I established it in 2018. Anyone else seeing problems like this? FB13687820

I have an App Attest server implementation which is generally functioning well. From time to time, however, I get receipts which do not refresh when I send them to Apple's server; I get a 404 response. The docs (https://developer.apple.com/documentation/devicecheck/assessing_fraud_risk?language=objc - "Understanding HTTP Response Codes") say this means "No data available for the supplied receipt". Once a receipt is in this state it seems "stuck" i.e. it will never return a new receipt. I have seen this for both the development and production environments. Does anyone know what this means, and what I should do?

Dear Experts, Xcode 14 is giving me a new deprecation warning about sprintf. I understand why this is here (*) but I need to suppress it in some cases. I don't want to disable it everywhere (or lose other deprecation warnings). Specifically, I #include some Boost headers which use it in inline functions. I know that I can use #pragma to disable it, but I don't want to modify the Boost headers. Adding #pragma everywhere that I #include a Boost header is also unappealing. What other options do I have? (*) I'm not enthusiastic about the suggesting in the warning to use snprintf instead; snprintf leaves the destination unterminated on overflow, which can be just as bad as the sprintf behaviour.

If I use SubscriptionStoreView.init(groupID), it seems to be able to look up all the Products that have that subscription group ID. But I don't see any public method for doing that myself. Am I missing something, or is SubscriptionStoreView using a private method to do this lookup? I know that historically it has always been necessary to know the product IDs of all the products you want to sell; you have never been able to ask Store Kit to give you a list. SubscriptionStoreView doesn't seem to have this limitation, which is a bit surprising.

The WWDC video "What’s new in App Store Connect" describes a new feature to nominate your apps for app store features. Does anyone know when this is expected to be available to use? I don't see it immediately, and I don't think the video mentioned a timeline for its general availability.

Documentation for the App Store Connect API is poor, especially in comparison to the good documentation for the now-defunct XML-based "transporter" API. In the hope that it will be useful to others trying to do this in the future, here is how I was able to do a bulk update of my in-app purchases' prices using the API. Step 1: get the IDs for the IAPs, if you don't already know them: GET v1/apps/$app/inAppPurchasesV2 If you have a lot of IAPs, follow any links/next URL to get subsequent pages. The ids are in data/id . Step 2: get the current prices, if you don't already know them. I believe you need to do a separate request for each IAP (right?). GET v1/inAppPurchasePriceSchedules/$iap/manualPrices?include=inAppPurchasePricePoint,territory The price and currency are in included/attributes/customerPrice and included/attributes/currency (I generally only have one "manual" price). Step 3: look up the available price points: GET v2/inAppPurchases/$iap/pricePoints?filter[territory]=$territory The prices and IDs are in data/attributes/customerPrice and data/id. Note this query takes the specific IAP ID. I don't know why. Are the price points specific to the IAPs? Can I reuse a price point ID that I've looked up for one IAP with another IAP for the same app? Step 4: choose your new prices. Step 5: Submit the new prices: POST v1/inAppPurchasePriceSchedules { "data" : { "relationships" : { "baseTerritory" : { "data" : { "id" : "$territory", "type" : "territories" } }, "inAppPurchase" : { "data" : { "id" : "$iap", "type" : "inAppPurchases" } }, "manualPrices" : { "data" : [ { "id" : "$random_id", "type" : "inAppPurchasePrices" } ] } }, "type" : "inAppPurchasePriceSchedules" }, "included" : [ { "attributes" : { "startDate" : null, "endDate" : null }, "id" : "$random_id", "relationships" : { "inAppPurchasePricePoint" : { "data" : { "id" : "$price_point_id", "type" : "inAppPurchasePricePoints" } }, "inAppPurchaseV2" : { "data" : { "id" : "$iap", "type" : "inAppPurchases" } } }, "type" : "inAppPurchasePrices" } ] } In that, $iap is the IAP ID from step 1, $territory is probably a three-letter string like GBR, $random_id is a random identifier that you generate (using the same value in the two places) (I'm not sure what the scope of this is; do I have to check that I don't accidentally send the same value in the future, or does it only exist while this submission is processed?), and $price_point_id is the ID for the price point from step 3. I believe it is necessary to send a separate submission for each IAP (right?) That example makes the change immediately (start and end dates are both null). Note that if you want to schedule a future change, you need to include both the current period and price and the future period and price in the submission. I would like to thank @Efun whose posts in this thread: https://developer.apple.com/forums/thread/727159 helped a lot with understanding this.

Dear Experts, I've just received the exciting new email from App Store Connect telling me that I'm using a "required reason" API call and need to declare it in my privacy manifest. Of course this is easy to fix, I'll just add the code to my privacy manifest - but I thought I'd at least go through the motions of trying to work out what function I am calling and from where. First issue is that the email just tells me that the app "references one or more APIs that require reasons ... including NSPrivacyAcceeedAPICategoryFileTimestamp". Dear Apple, why on earth can't you actually tell me the specific function that I am calling? (FB13689896). So let's see if I can work out what has been detected. I look at the app binary: % objdump --syms App.app I think that is probably more or less what App Review must get from their scan, right? So I can see _stat in there but it doesn't know the corresponding source file. So I go to the build directory with the object files and extract symbols from them all individually, using objdump --syms. Provided that I've not enabled link-time optimisation that works and I can find ... zero calls to stat(). Which tells me that my C++ std::filesystem calls have not been detected! Interesting. So if you want to bypass this amazing new privacy technology, I guess that's the way to go. Anyway if there's a call to stat() in the binary but not in the object files, it must be coming from one of my .a files. That's a bit more difficult to track down as (1) my .a files are not in a convenient single directory, and (2) they may have calls to stat() in archive members that aren't needed and aren't included in this binary. So the question: is there some convenient way to take the binary and identify which object files or static library archive members resulted in which of its UND symbols?

Does anyone have recent experience of what App Review consider acceptable for location purpose strings these days? My map apps simply display a blue spot on the map showing your current location when you turn on the app's location button. That data doesn't leave the app; I'm not selling it to anyone, or doing anything nefarious. For years, I've had concise location purpose strings such as "Your location will be shown on the map". Now, App Review seem to find that inadequate. They say: "One or more purpose strings in the app do not sufficiently explain the use of protected resources. Purpose strings must clearly and completely describe the app's use of data and, in most cases, provide an example of how the data will be used. Next steps: Update the ... location purpose string to explain how the app will use the requested information and provide an example of how the data will be used. " I've just look at what Apple Maps uses as its purpose string, and it's just "Your location is used to show your position on the map, get directions, estimate travel times, and improve search results." I'm only doing the first of those things, so surely "Your location is used to show your position on the map" would get approved, right? Wrong! I have similar issues with the photos purpose string.

I have a file on my Mac of a slightly unusual type. Let's say it's an "XYZ" file. Maybe I downloaded it from somewhere. I don't have any programs on my Mac that know about XYZ files, so if I view it in Finder is is shown with a plain icon and a generic description e.g. "Document". If I check its type, it seems that macOS has allocated it a "dyn.*" UTI: % mdls -name kMDItemContentType ~/foo.xyz kMDItemContentType = "dyn.ah62d4rv4ge81u8p4" I do have an app on my iPad that knows about XYZ files. The app has a UTImportedTypeDeclarations entry for .xyz in its Info.plist. I transfer the file to my iPad using AirDrop. Annoyingly, the iPad does not offer to open the file with the appropriate app. It seems to me that the iPad has blindly trusted the dyn.* UTI that macOS allocated for the file, and which presumably has been sent by AirDrop. It has not used the filename extension mapping from its app's Info.plist to determine that the file is an XYZ file. That may be considered a bug in iOS but that's not my question... My question is: is there anything that I can do on my Mac to tell it that this file foo.xyz is of type UTI com.example.xyz ? I was expecting to find either an md... command to modify the metadata, including the UTI, for a file, or some way to do this by setting an extended attribute. I have not yet found either. Any ideas anyone?